Dubbed “Wp-Ved,” after the name of the .php file bearing the malicious payload, the attack was relatively small in its scope and scale, with a few scattered attacks starting in the summer and continuing in sporadic fashion to this very day.
Apparently, the hackers who own the code learned what they needed to, and recently an updated variant of the malware has been spotted in the wild.
The malware is not subtle. It doesn’t try to hide what it’s doing in the least. It simply injects malicious code into legitimate files, focusing on old WordPress default themes such as “Twentyfifteen” and “Twentysixteen.”
Once the code is in place, it works quickly to create a new Admin user with the name “100010010,” which gives the hackers a back door they can use to launch other scripted attacks at their discretion.
Again, owing to the completely unsubtle nature of the code, any user who is running any sort of web application firewall (WAF) would be completely immune to this type of attack, as the WAF would have spotted it immediately and shut it down before it could do any damage. Sadly, a significant percentage of webmasters running WordPress sites don’t take advantage of this sort of protection.
Although this isn’t a large-scale, coordinated attack, given the sheer number of WordPress sites on the web, it’s something to be mindful of. As to the damage the hackers could cause if you are infected, unfortunately, the sky’s the limit. Once they’ve got an Admin-level backdoor to work with, there’s not much they couldn’t do, so if you run a WordPress-based site, it’s worth your time to check whether you’ve been infected. If you have, you’re sitting on a ticking time bomb.
As to how you can protect yourself, the first step is, of course, to delete the files containing the malicious code.
Once that’s done, disable and delete the rogue Admin account, and if one is available, begin making use of a web application firewall so that you can avoid any problems with Wp-Ved in the future.
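The three indicators the post names (a file called wp-ved.php, altered PHP inside the Twentyfifteen/Twentysixteen themes, and an administrator login of “100010010”) can be checked offline before you start deleting anything. The script below is an added example, not code from the post or from WordPress: it compares the installed theme files against a pristine copy by SHA-256 (the baseline approach is my choice, not something the post describes), looks for the payload file name anywhere under the install, and matches the rogue login against a list of administrator user_login values such as the output of `wp user list --role=administrator --field=user_login`. The directory layout and the fixture built by `demo()` are constructed stand-ins.

```python
"""Added example (not from the article): offline checks for the Wp-Ved indicators it
describes. The hash-baseline method and the fixture are assumptions/constructed data."""
import hashlib
import tempfile
from pathlib import Path

ROGUE_ADMIN = "100010010"          # administrator username the article reports
PAYLOAD_FILENAME = "wp-ved.php"    # file the campaign is named after
TARGETED_THEMES = ("twentyfifteen", "twentysixteen")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_hashes(clean_theme_dir: Path) -> dict:
    """Hash every .php file in a known-clean copy of the theme, keyed by relative path."""
    return {str(p.relative_to(clean_theme_dir)): sha256_of(p)
            for p in clean_theme_dir.rglob("*.php")}


def modified_theme_files(installed_theme_dir: Path, baseline: dict) -> list:
    """Relative paths of installed PHP files that differ from the baseline or are not in it."""
    return sorted(str(p.relative_to(installed_theme_dir))
                  for p in installed_theme_dir.rglob("*.php")
                  if baseline.get(str(p.relative_to(installed_theme_dir))) != sha256_of(p))


def payload_files(wp_root: Path) -> list:
    """Any file carrying the campaign's payload name, anywhere under the install."""
    return sorted(str(p.relative_to(wp_root)) for p in wp_root.rglob(PAYLOAD_FILENAME))


def rogue_admins(admin_logins) -> list:
    """Match the known rogue login against administrator user_login values, e.g. from:
    wp user list --role=administrator --field=user_login"""
    return [login for login in admin_logins if login.strip() == ROGUE_ADMIN]


def audit(wp_root: Path, clean_themes: dict, admin_logins) -> dict:
    """clean_themes maps theme slug -> directory holding a pristine copy of that theme."""
    report = {"modified_theme_files": {},
              "payload_files": payload_files(wp_root),
              "rogue_admins": rogue_admins(admin_logins)}
    for theme in TARGETED_THEMES:
        installed = wp_root / "wp-content" / "themes" / theme
        if theme in clean_themes and installed.is_dir():
            changed = modified_theme_files(installed, baseline_hashes(clean_themes[theme]))
            if changed:
                report["modified_theme_files"][theme] = changed
    return report


def demo() -> dict:
    """Constructed fixture: a clean theme copy, a tampered install, and a rogue admin."""
    tmp = Path(tempfile.mkdtemp())
    clean = tmp / "clean" / "twentysixteen"
    site = tmp / "site"
    installed = site / "wp-content" / "themes" / "twentysixteen"
    for d in (clean, installed, site / "wp-content" / "uploads"):
        d.mkdir(parents=True)
    for name, body in (("index.php", "<?php get_header(); ?>\n"),
                       ("functions.php", "<?php // clean theme functions\n")):
        (clean / name).write_text(body)
        (installed / name).write_text(body)
    # Tamper the install: append to one theme file and drop a file with the payload
    # name (constructed stand-ins, not the real malicious code).
    with (installed / "functions.php").open("a") as f:
        f.write("<?php /* constructed stand-in for injected code */ ?>\n")
    (site / "wp-content" / "uploads" / PAYLOAD_FILENAME).write_text("<?php /* stand-in */ ?>\n")
    admins = ["owner", ROGUE_ADMIN]   # stand-in for the WP-CLI administrator listing
    return audit(site, {"twentysixteen": clean}, admins)


if __name__ == "__main__":
    print(demo())
```

Run `audit()` against the real install with a freshly downloaded copy of each default theme as the baseline; any entry in `modified_theme_files` or `payload_files` is a file to quarantine and review, and a hit in `rogue_admins` is the account to disable and delete before you put a WAF in front of the site.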
The WordPress community is, on the whole, quite good at rooting out malware designed to work against the platform. However, this is certainly not the first such campaign hackers have gotten past the active community’s defenses, nor will it be the last.
Just recently, for example, security researchers found vulnerabilities in two of the platform’s most popular plugins, Yoast SEO and Formidable Forms.
In the case of the Yoast security flaw, it has been patched as of version 5.8 of the plugin, so if you use Yoast, be sure you’re using the most up-to-date version.
The bug in the Formidable Forms plugin was patched in version 2.05.02 and higher, so again, if you’re using this plugin on your website, be sure you’ve got the latest and greatest installed.
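For the two plugin fixes above, the practical check is whether the installed version is at least the patched one. The following is an added example, not code from the post or from either plugin vendor: it reads the JSON that `wp plugin list --format=json` emits (name, status, update, version fields) and compares each listed plugin against the minimum patched versions the post gives. The plugin slugs `wordpress-seo` (Yoast SEO) and `formidable` (Formidable Forms) and the sample listing are assumptions constructed for the example; `parse_version` normalises zero-padded components so that 2.05.02 and 2.5.2 compare equal.

```python
"""Added example (not from the article): flag plugins below the patched versions it
cites. Slugs and the sample WP-CLI output are assumptions/constructed data."""
import json
import re

# Minimum patched versions named in the article, keyed by assumed plugin slug.
MINIMUM_PATCHED = {"wordpress-seo": "5.8", "formidable": "2.05.02"}


def parse_version(version: str) -> tuple:
    """Turn '2.05.02' into (2, 5, 2) so zero-padded and plain forms compare equal.
    Trailing labels such as '-beta' are ignored; missing components count as 0."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def outdated_plugins(plugin_list_json: str) -> list:
    """Plugins from `wp plugin list --format=json` that sit below a known patched version."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        minimum = MINIMUM_PATCHED.get(plugin.get("name", ""))
        if minimum and parse_version(plugin.get("version", "0")) < parse_version(minimum):
            findings.append({"name": plugin["name"],
                             "installed": plugin["version"],
                             "minimum": minimum})
    return findings


# Constructed sample in the shape WP-CLI produces; not real output from a site.
SAMPLE_OUTPUT = json.dumps([
    {"name": "wordpress-seo", "status": "active", "update": "available", "version": "5.7.1"},
    {"name": "formidable", "status": "active", "update": "none", "version": "2.05.02"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "4.0"},
])

if __name__ == "__main__":
    for finding in outdated_plugins(SAMPLE_OUTPUT):
        print(f"{finding['name']}: {finding['installed']} < {finding['minimum']}")
```

Pipe the live listing in (`wp plugin list --format=json | python3 check_plugins.py` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`) and treat every finding as an update to apply; the comparison is deliberately on the version string WordPress reports, not on the `update` field, so a site whose update checks are failing is still flagged.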